* Strip path components and keep only filename-safe chars. file_name comes * from the network (web composer), so treat it as untrusted even though the * composer controls it.
(name: string)
| 53 | * composer controls it. |
| 54 | */ |
| 55 | function sanitizeFileName(name: string): string { |
| 56 | const base = basename(name).replace(/[^a-zA-Z0-9._-]/g, '_') |
| 57 | return base || 'attachment' |
| 58 | } |
| 59 | |
| 60 | function uploadsDir(): string { |
| 61 | return join(getClaudeConfigHomeDir(), 'uploads', getSessionId()) |